Google Analytics Hide Yet Another Cryptominer

This is a quick posts about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

The malicious code has a few of interesting features that help obfuscate its true nature:

1. use of a non-dotted decimal notation for the host name: 3104709642(which translates to 185 .14 .28 .10)

2. quite a common trick of using jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads the obfuscated version of the CoinHive library)

3. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.

If you remove the layers of obfuscation, it’s still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not version of the script injected to websites. It was an already decoded version of the malicious script. The original code looks like this:

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them – they were all WordPress sites. Moreover, all the infected sites also shared the “cloudflare.solutions” malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.

Originally written and posted by Denis Sinegubko at our Security Partner Sucuri.net